Android Info Stealer

Let's Defend Malware Analysis [Easy]

#tutorial

Challenge Description

(The challenge description is shown as an image on the original page and is not reproduced here.)

Solution and Analysis

The first step is to decompress the password-protected archive and load the resulting APK file into JADX-GUI for static analysis. JADX decompiles the Android DEX bytecode back into readable Java code, which forms the basis of our investigation.


Question 1: What is the package name for the app?

  • Answer: com.example.appcode.appcode
  • Location: AndroidManifest.xml
  • Explanation: The package name is a fundamental attribute of any Android application. It serves as a unique identifier for the app on a device and in the Google Play Store. This information is always declared in the root <manifest> tag of the AndroidManifest.xml file. A generic package name like com.example... often suggests that this sample is either a test build or was developed by an unsophisticated actor who didn't bother to change the default name from their IDE.

Question 2: What is the name of the background service declared in the manifest?

  • Answer: com.example.appcode.appcode.CMDService
  • Location: AndroidManifest.xml
  • Explanation: The AndroidManifest.xml file must declare all core application components, including services. We can find the service declaration within the <application> tag. A <service> tag with the android:name attribute points to com.example.appcode.appcode.CMDService. A service is a component that can run in the background without a user interface, making it the perfect place for malware to house its main command-and-control (C2) and data-stealing logic.

Question 3: Which permission allows an app to access information about Wi-Fi networks?

  • Answer: android.permission.ACCESS_WIFI_STATE
  • Location: AndroidManifest.xml
  • Explanation: Android's security model requires applications to request permissions for sensitive operations. These requests are listed in the manifest using <uses-permission> tags. By inspecting these tags, we can create a profile of the malware's intended capabilities. The ACCESS_WIFI_STATE permission allows the app to view the status of Wi-Fi connectivity, which is useful for device fingerprinting and ensuring an internet connection is available before exfiltrating data.

Question 4: What permission is needed for an app to determine its approximate location using network-based methods?

  • Answer: android.permission.ACCESS_COARSE_LOCATION
  • Location: AndroidManifest.xml
  • Explanation: Continuing our analysis of the <uses-permission> tags in the manifest, we find ACCESS_COARSE_LOCATION. This permission allows the app to get the device's approximate location based on cell towers and Wi-Fi access points. This is a key indicator of spyware functionality, as the malware is clearly designed to track its victims.
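The manifest checks behind Questions 1 to 4 (package name, the declared service, the requested permissions) and the debuggable flag mentioned in the Assessment can be pulled out mechanically from the AndroidManifest.xml that JADX reconstructs. The helper below is an added example and not part of the original walkthrough; the manifest text it parses is a constructed fragment that only reuses the values reported on this page, and the BOOT_COMPLETED receiver layout is assumed.

```python
# Added triage helper (not from the walkthrough or the sample): extract the
# manifest attributes an analyst checks first from a decompiled manifest.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: names and values from the walkthrough, layout assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.appcode.appcode">
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <application android:debuggable="true" android:label="appcode">
        <service android:name="com.example.appcode.appcode.CMDService"/>
        <receiver android:name="com.example.appcode.appcode.BootUpReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return package, permissions, services, receivers, boot persistence and
    the debuggable flag from a decompiled AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    app = root.find("application")
    debuggable = app is not None and app.get("{%s}debuggable" % ANDROID_NS) == "true"
    return {
        "package": root.get("package"),
        "permissions": sorted(p.get(name_attr) for p in root.iter("uses-permission")),
        "services": [s.get(name_attr) for s in root.iter("service")],
        "receivers": [r.get(name_attr) for r in root.iter("receiver")],
        # A BOOT_COMPLETED action on a receiver is the persistence hook the
        # summary attributes to BootUpReceiver.
        "boot_persistence": any(
            a.get(name_attr) == "android.intent.action.BOOT_COMPLETED"
            for a in root.iter("action")),
        "debuggable": debuggable,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-16s %s" % (key, value))
```

Run it against the manifest JADX writes out for the real sample to get the same fields without clicking through the tree.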

Question 5: What is the name of the method that retrieves the call log information?

  • Answer: listCallLog
  • Location: Source code > com.example.appcode.appcode > CallLogLister.java
  • Explanation: The malware author has organized their code into different classes based on functionality. A class named CallLogLister is specifically designed to handle call log operations. Inside this class, we find a method named listCallLog. This method contains the logic to query the Android Content Provider for call history, making it the function directly responsible for this specific data theft.

Question 6: During the analysis of the CallLogLister class, how many fields are included in the call log information?

  • Answer: 5
  • Location: Source code > com.example.appcode.appcode > CallLogLister.java
  • Explanation: By examining the listCallLog method, we can see the malware constructs a JSONObject for each entry in the call log. We simply need to count how many times the .put() method is called on the JSONObject inside the loop. The code collects the Phone Number, Call Type, Call Date, Call Duration, and a unique ID, for a total of 5 distinct fields per call record.

Question 7: The malware tries to get a lot of information about the battery of the Android device. What is the last field?

  • Answer: voltage
  • Location: Source code > com.example.appcode.appcode > SystemInfo.java
  • Explanation: Similar to the call logs, the malware uses a dedicated SystemInfo class to gather a wide range of device information for fingerprinting. Inside this class, a method (likely named putInfo or similar, which is called by CMDService) collects battery data. By inspecting the series of .put() calls related to battery information, we can see the last piece of data it gathers is the battery's voltage.

Question 8: What command should be used to get SMS data?

  • Answer: smslogs
  • Location: Source code > com.example.appcode.appcode > CMDService.java
  • Explanation: The CMDService class contains a large processCMD method with a switch statement. This structure acts as the C2 command dispatcher. By reading through the case statements, we can map command strings to their actions. The case "smslogs": block initiates the process of reading the device's SMS messages and sending them to the C2 server.

Question 9: Which command is used to update the malware app?

  • Answer: updateApp
  • Location: Source code > com.example.appcode.appcode > CMDService.java
  • Explanation: Within the same processCMD switch statement, we find the case "updateApp":. This command gives the attacker the ability to remotely update the malware to a newer version, adding new features or fixing bugs without needing the victim to install anything new. This demonstrates a more advanced and persistent threat.

Question 10: What command is used to take screenshots?

  • Answer: capscreen
  • Location: Source code > com.example.appcode.appcode > CMDService.java
  • Explanation: Analyzing the processCMD switch statement further reveals the case "capscreen":. This is a powerful spyware feature that allows the attacker to capture the victim's screen at any moment, potentially stealing credentials, private messages, or other sensitive visual information.

Question 11: Which command is used to record from the microphone?

  • Answer: recordmic
  • Location: Source code > com.example.appcode.appcode > CMDService.java
  • Explanation: The processCMD switch statement also contains the case "recordmic": command. This function allows the attacker to remotely activate the device's microphone and record ambient audio, effectively turning the phone into a remote listening device.

Question 12: What is the build type specified in this BuildConfig class?

  • Answer: release
  • Location: Source code > android.support.v4 > BuildConfig.java
  • Explanation: This is a tricky question. The APK contains two BuildConfig files. The one for the main application (com.example.appcode.appcode) is set to debug. However, the question refers to the BuildConfig class from the included Android Support Library v4. Navigating to android.support.v4.BuildConfig shows its BUILD_TYPE is set to release. This is common, as developers often use release versions of external libraries even while debugging their own code.

Question 13: What is the C2 server which is used by malware to send stolen device system information?

  • Answer: http://android.viral91.xyz/admin/webservices
  • Location: Source code > com.example.appcode.appcode > setting.java
  • Explanation: The Command and Control (C2) server address is the destination for all stolen data. Our analysis path starts in CMDService, where network tasks are sent to the HttpAsyncTask. This class uses an object called httpCall to perform the network request. Inside the httpCall class, the HttpPost command is initiated with the URL setting.weburl. Finally, navigating to the setting.java class, we find the weburl static string variable, which holds the hardcoded C2 server address. This is a critical Indicator of Compromise (IOC).
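The command strings found in processCMD (Questions 8 to 11) and the hardcoded weburl from Question 13 are the two things worth harvesting from the decompiled source on every sample of this family. The script below is an added example, not code from the walkthrough or from the malware; the two Java snippets are constructed stand-ins for what JADX renders (helper method names such as sendSmsLogs are invented), and only the command names, the weburl value and the capability buckets come from this page.

```python
# Added analyst helper (not from the walkthrough or the sample): enumerate the
# C2 command labels in a decompiled switch, map them to capability buckets, and
# pull hardcoded URL literals out of the settings class.
import re

# Constructed stand-in for CMDService.processCMD as JADX might render it.
CMDSERVICE_JAVA = """
public void processCMD(String cmd, JSONObject args) {
    switch (cmd) {
        case "smslogs":
            sendSmsLogs(); break;
        case "updateApp":
            updateApp(args); break;
        case "capscreen":
            captureScreen(); break;
        case "recordmic":
            recordMic(args); break;
        case "locGPS":
            sendLocation("gps"); break;
        default:
            break;
    }
}
"""

# Constructed stand-in for setting.java; the URL is the IOC from this page.
SETTING_JAVA = 'public class setting {\n    public static String weburl = "http://android.viral91.xyz/admin/webservices";\n}\n'

CASE_RE = re.compile(r'case\s+"([^"]+)"\s*:')
URL_RE = re.compile(r'"(https?://[^"\s]+)"')

# Capability buckets as used in this page's summary; anything else is flagged.
CAPABILITY = {
    "smslogs": "data exfiltration",
    "recordmic": "surveillance", "recordcal": "surveillance", "capscreen": "surveillance",
    "frontcam": "surveillance", "backcam": "surveillance",
    "locGPS": "surveillance", "locnetwork": "surveillance",
    "sendsms": "remote control", "gavecall": "remote control", "updateApp": "remote control",
}


def extract_commands(java_src):
    """Return the string case labels of a decompiled command switch, in source order."""
    return CASE_RE.findall(java_src)


def extract_urls(java_src):
    """Return every hardcoded http(s) URL literal found in the source."""
    return URL_RE.findall(java_src)


def classify(commands):
    """Map each command to its capability bucket, 'unknown' if not catalogued."""
    return {c: CAPABILITY.get(c, "unknown") for c in commands}


if __name__ == "__main__":
    cmds = extract_commands(CMDSERVICE_JAVA)
    print("commands:", classify(cmds))
    print("C2 URLs:", extract_urls(SETTING_JAVA))
```

Commands that come back as "unknown" are the ones a new build has added and are the first thing to read in the decompiled service.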

Summary and Conclusion

The analyzed Android application is a multi-functional Spyware/Remote Access Trojan (RAT) designed to exfiltrate a wide array of sensitive user data and provide an attacker with significant remote control over a compromised device. While it lacks the advanced obfuscation techniques seen in top-tier malware, its extensive feature set makes it a severe threat to victim privacy and security.

Key Capabilities

Based on the static analysis, the malware's core functionality is orchestrated by the CMDService, which acts as a command-and-control (C2) handler. The malware achieves persistence by registering a BootUpReceiver, ensuring its service is automatically started whenever the device is rebooted. After installation, it attempts to hide its presence by removing its application icon from the launcher.

The malware's capabilities can be broken down into three main categories:

  1. Comprehensive Data Exfiltration: The application systematically steals and sends a wealth of personal and device information to its C2 server. This includes:

    • Personal Communications: SMS logs, call history, and the user's entire contact list.
    • Device Fingerprinting: A detailed profile of the device, including IMEI, IP address, phone number, SIM card details, OS version, and extensive battery statistics.
  2. Active Surveillance: The attacker is not limited to passive data theft and can initiate live surveillance actions on command, effectively turning the device into a remote spy tool. These actions include:

    • Recording ambient audio via the microphone (recordmic).
    • Recording active phone calls (recordcal).
    • Capturing the screen content (capscreen).
    • Taking photos using both the front and back cameras (frontcam, backcam).
    • Tracking the device's physical location via GPS and network providers (locGPS, locnetwork).
  3. Remote Device Control: Beyond surveillance, the malware grants the attacker the ability to perform actions on the victim's behalf and manage the malware itself. This includes:

    • Sending SMS messages to any number (sendsms).
    • Initiating phone calls (gavecall).
    • Remotely updating the malware to a new version (updateApp).
    • Downloading, uploading, and deleting files on the device's storage.

Assessment

Despite its powerful feature set, the malware exhibits signs of low-to-moderate sophistication. This assessment is based on several factors:

  • The C2 server address is hardcoded in plain text within the application.
  • The package name (com.example.appcode.appcode) is a generic default, suggesting a lack of professionalism.
  • The application was compiled as a debug build (android:debuggable="true"), which is a significant operational security mistake that makes the malware much easier to analyze.

In conclusion, while not technically advanced or stealthy, this malware is a dangerous and effective spyware tool. Its ability to provide a remote attacker with a complete view into a victim's digital and physical life—from private conversations to their precise location—poses a critical security risk. The collected evidence strongly suggests this tool is designed for targeted surveillance.


Indicators of Compromise (IOCs)

  • Package Name: com.example.appcode.appcode
  • C2 Server URL: http://android.viral91.xyz/admin/webservices
  • Main Service: com.example.appcode.appcode.CMDService